Historic records in California - breach notification

Privacy Incident
Frequently Asked Questions
1. What happened?
On December 23, 2022, the California Secretary of State (SOS) was notified by a
researcher that the records they were provided to view contained records not older
than 75 years. Pursuant to Government Code section 12237, all records 75 years and
older within Archives are public. Records given to the researcher to view pertained to
the State’s forced sterilization program that was conducted in California during the
time period of 1909-1979. The records were provided to the researcher on December
19, 2022 (onsite) and December 22, 2022 (via secure digital transfer) and viewed on
December 23, 2022. When the inadvertent disclosure of records dated from 1948-
1954 was discovered by the researcher, the researcher confirmed they did not view
the materials in detail and indicated the PDF copy of the roll of transferred microfilm
provided to them for viewing had a mislabeled date range. Our subsequent review of
the materials less than 75 years old determined that the documents contained
personally identifiable information and medical information. Once the mistake was
discovered, the researcher confirmed to SOS that upon recognizing the age of the
records, they notified Archives staff immediately, and deleted any material from their
computer.
2. When did it happen? (Why didn’t you notify me sooner?)
The incident occurred on December 19, 2022 (onsite) and on December 22, 2022
(via secure electronic transfer). The SOS was notified immediately by the researcher
when it was discovered. The SOS has been working swiftly to pull, screen, and redact
the records; however, due to the historical nature of the documents, aging microfilm,
and the complexity of information contained within the records, screening and
identification of individuals has taken time.
3. Why did you have my personal information?
Historical records are sent to the Secretary of State’s office by state agencies and
pursuant to Government Code section 12237 are available to be viewed by the public
after 75 years.
4. What specific items of my personal information were involved?
• Patient first and last names
• Family member first and last names
• Dates of Birth for some individuals
• Familial history and familial medical history
• Medical information such as diagnosis, dates of operations, dates of
sterilization and other unrelated medical history
5. What are you doing about the breach? How will you prevent this from
happening in the future?
SOS investigated the incident and has pulled the impacted records from public
access while a detailed review of the records is being conducted. SOS
confirmed with the researcher that all affected materials have been deleted.
SOS has removed the researcher's electronic access to the records
transferred electronically. After pulling the records, screening, and redacting
the materials, the SOS believes it is unlikely that there will be any further
unauthorized disclosure.
At this time, SOS has no evidence that there has been any use or attempted
use of the information compromised by this incident. SOS is providing this
notice so that those individuals potentially affected may be aware of what
happened and can take the necessary steps to monitor any unusual activity
regarding their personal information.
Due to the age of the records, SOS is notifying any affected individuals via this
Privacy Incident Notice of the potential that Personally Identifiable Information
(PII) may have been compromised.
6. What else can I do to protect myself?
You can place a fraud alert on your credit files. Simply call any one of the three
credit bureaus at the numbers provided below and follow the “fraud victim”
instructions. The one you call will notify the others to place the alert. When you call
the credit bureau fraud line, you will be asked for identifying information and will be
given the opportunity to enter a phone number for creditors to call. You may want to
make this your cell phone number.
 Trans Union – 1-800-680-7289
 Experian – 1-888-397-3742
 Equifax – 1-800-525-6285
7. This notice pertains to my family member, who is deceased. What should I
do?
See the California Department of Justice’s information sheet Identity Theft and the
Deceased on the Identity Theft page at https://oag.ca.gov/idtheft/facts/deceased.